Fixes are available
APAR status
Closed as program error.
Error description
You might click a link invoking a service with XML Injection that results in an unhandled service failure situation that could expose sensitive data.
Local fix
Problem summary
You might click links that inject scripts in callService.do by using an XML entity in the service input parameters. Local file content might be returned to the service failure error page. PRODUCTS AFFECTED: IBM Business Process Manager (BPM) Advanced IBM BPM Standard IBM BPM Express WebSphere Lombardi Edition (WLE)
Problem conclusion
A fix for all releases of IBM BPM and WLE is available that fixes the XML injection vulnerabilities by setting the XML parser to follow the latest security definitions. On Fix Central (http://www.ibm.com/support/fixcentral), search for JR50616: 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR50616, and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Comments
APAR Information
APAR number
JR50616
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-06-27
Closed date
2014-08-14
Last modified date
2014-08-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
R751 PSY
UP
R801 PSY
UP
R850 PSY
UP
R855 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
16 October 2021